Wednesday, February 15, 2017

I'll start this post by saying I half expect to get a cease and desist over it. If that happens, know that HP doesn't stand by their marketing and is using lawyers to silence those who would challenge them.

HP kicked off RSA with a big push on printer security. I stopped by the booth and they have a few people standing around (customers and employees). I asked (seriously, not trolling) what the sales pitch is. I said I'd like to hear the technical side. I say "I'm an infosec consultant, what real world examples of printer exploitation can HP share with me that will get my clients serious about printer security?" The obvious sales lady passes me off to one of two engineers at the booth. The other engineer is already talking to someone. The other engineer (the one not talking to me) says to the guy he's talking to:

You have to take print security seriously. Did you know that Stuxnet attacked the print spooler?

Now this is some USDA Grade A FUD. First, Stuxnet didn't attack printers at all. The print spooler? Sure. On Windows. If a tag line for your printer security campaign is a vulnerability patched in 2010 (MS10-061) on something that isn't even your platform, well, bravo. I'd like to induct this salesperson/engineer into the snake oil hall of fame (or ninth circle of hell, I'm actually not picky here).

Before I can interrupt "Mr Stuxnet" my engineer starts talking to me. I ask him the same question I asked the "sales only" person at the booth. He says:

Did you hear about the tens of thousands of printers hacked in the last few weeks? It's been all over the news.

Um yeah (he's talking about this), but those were printers directly connected to the Internet. I'm not concerned about that, or Weev, spewing garbage to my printers. I ask about the narrative they seem to be suggesting where the printer is used to compromise the rest of the network. Can your printer really be used to compromise the rest of the network? Have you ever seen it? Do you have a single case, even without naming the victim, that you can point to?

*Note: I don't need anyone to cite a talk at *CON where someone did a PoC. I'm talking real world.

It turns out the answer is no. The HP engineer says that they have responded to dozens of networks (later throws out the number 60) and says that in two of them they've found printer firmware that "had a different checksum from ours." He won't commit to saying it was modified, just repeats that "well, the checksum was different." I'm intrigued, tell me more. He says that they suspect it would have been nation state since these networks were known to have been hacked by nation state actors in the past. Okay, cool. Since you found this "modified" firmware, you certainly reverse engineered it, right? Well, yes they did, but "unfortunately HP Labs is very secretive" and is "unlikely to share anything they find." And this was like four years ago and I haven't heard anything back so lets move on.

Wait, WUT?! You found firmware that wasn't yours loaded onto printers four years ago, sent if for reversing and you got nothing back? This is the sort of thing that literally screams "take my money" and you have no information on it. Okay, I think I see what you found: nothing.

When pressed for more examples of printer exploits, we got stuff like "Do you know what can be done with PCL and PostScript?" Yes actually, which is why you're really not scaring me. Again, show me examples of this happening in the wild. Do you have document hashes in VirusTotal that show demonstrations of attackers doing this stuff? My clients want to focus on real threats, not hypothetical ones.

Luckily I didn't pay attention to the video playing in the HP booth while I was there. When I came back to my hotel room I actually watched this vile piece of filth.WARNING: you'll never get this six minutes of your life back.

This video features tag lines like "nothing is safe" and "There are hundreds of millions of business printers in the world. Only 2% of them are safe." This is FUD to the nth degree. The fact that Christian Slater, who stars in Mr. Robot, is hacking the printers is designed to give it a more realistic bent. But it's not realistic. How did Slater get on the wireless network to pwn these printers? And were they configured with default credentials? And how did he just happen to have firmware for these specific models. And why FFS were the printers not checking a digital signature on the firmware. So many questions...

And this all made me mad until Twitter user Jason Testart told me that HP was sending electronic marketing material to executives (likely CIOs) to get them to invest in printer security. Then I was just furious.

According to Jason, that thing in the middle is a cell phone screen that plays marketing material (presumably the Christian Slater video?). In today's digital age, it is environmentally irresponsible to create such waste in advertising materials. Cell phone screens? Really? I'm sure this is flashy and I'm sure people look at it before throwing it away. But I'm a little outraged at the waste - especially when used to spew such deceptive FUD.

Real Security
Securing your printing environments isn't hard. If you need help, contact me at Rendition Infosec and I'll be happy to help you. But I'll save you all sorts of money up front and tell you that it involves basics like not connecting your printer directly to the Internet, not exposing unnecessary services (turn off LDAP on your multi function device if you don't use it), and change default credentials on your print devices that have a web interface. Turn off wifi if you don't use it (you shouldn't be using wifi for your printer, honestly). Then back this all up with network monitoring. Find your printer beaconing to China? Isolate it from the rest of the network, then call someone who can reverse engineer the printer implant. While you're at it, hunt the rest of your network. The attackers didn't just compromise the printer.

Closing Thoughts
In closing, things like this make me sad to be in infosec. I know that I'm not making much of a dent here raging on how dumb this printer security push is (in the overall scheme of things). But please don't make my efforts in vain. Your CIO probably got a cardboard encrusted cell phone screen from HP. Talk to them. Tell your CIO this is FUD. Tell them you probably need to invest money in basic infosec blocking and tackling. Then feel good about changing the world for the better.